The Great Firewall of China is controlled by the government and has put in place a "learning algorithm" to block unapproved encrypted traffic. The only way to get encrypted traffic through the firewall is to get it approved from the government.

5 Answers

I've actually very recently had to do that. We have a set of servers in Beijing that must be able to communicate with our US offices securely (mostly for sending logs and audit data). We use openvpn to do it in all other geolocations, but we have quickly discovered that openvpn traffic is rapidly recognized and blocked in China -- because the openvpn handshake has telltale signs.

The somewhat ridiculous solution to this is to wrap openvpn traffic in stunnel. I can confirm that it works and hasn't been blocked so far. It's clearly not a great solution, since on top of the latency of all connections out of China, you're adding the latency of openvpn over tcp over tcp again, twice-encrypted, but at least it works, as opposed to not at all.
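An added illustration of the wrapping described above (not the answerer's own configuration): stunnel terminates TLS on port 443 on the US side and hands the plaintext stream to OpenVPN on localhost, while on the Beijing side OpenVPN connects to a local stunnel listener. The hostname `vpn-us.example.com`, the ports, the file paths and the CA pinning are assumptions made for the example.

```conf
; ===== US side: stunnel server (assumed path /etc/stunnel/stunnel.conf) =====
cert = /etc/stunnel/server.pem        ; server certificate + key (assumed path)

[openvpn]
accept  = 0.0.0.0:443                 ; from outside this is just an HTTPS listener
connect = 127.0.0.1:1194              ; local OpenVPN, TCP mode

; ===== Beijing side: stunnel client (assumed path /etc/stunnel/stunnel.conf) =====
client = yes

[openvpn]
accept      = 127.0.0.1:1194          ; the OpenVPN client connects here
connect     = vpn-us.example.com:443  ; assumed hostname of the US endpoint
verifyChain = yes                     ; only accept a chain rooted in our own CA
CAfile      = /etc/stunnel/ca.pem     ; assumed path
checkHost   = vpn-us.example.com      ; and only that name in the server cert

; ===== OpenVPN changes needed on each side (not stunnel syntax) =====
; US server.conf:    proto tcp-server
;                    local 127.0.0.1
;                    port 1194
; Beijing client.conf: proto tcp-client
;                      remote 127.0.0.1 1194
```

Two caveats a practitioner should keep in mind: OpenVPN has to run in TCP mode for this to work, which is the source of the TCP-over-TCP latency the answer mentions (a single lost packet stalls both retransmit timers), and the outer connection is still a stunnel/OpenSSL TLS handshake to port 443, so it survives because it looks like ordinary HTTPS, not because it is invisible. The `verifyChain`/`checkHost` lines matter for the same reason the last answer on this page raises: without them the client would happily accept a certificate substituted in the middle.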

This "learning algorithm" probably means that the GFC first detects encrypted traffic which might be a VPN or Tor and then reconnects to the communication destination and tries to "speak" VPN or Tor to verify this suspicion. This active probing is confirmed to happen for the Tor network (details are here) and the technique might be similar if not the same for the recent block of VPN connections.

Now there is a lot of exciting research in the field of blocking-resistant communication. On the one hand, people are working on transport protocols which look like "randomness". Examples are obfs2 and Dust. Other circumvention protocols mimic existing protocols and would, as a result, survive a censor which chooses to whitelist the Internet. Examples are Code Talker Tunnel or StegoTorus. Mimicking other protocols usually provides stronger resistance but reduced throughput due to the steganographic overhead. After all, there are many censors which act very differently. The GFC is just one example. Therefore, we need many different circumvention protocols to tackle all the different censorship techniques.

While it will always be possible to transmit a couple of bits in a covert fashion, the challenge lies in low-latency systems which allow comfortable web surfing. That's what people want, after all. An overview of censorship-related security research is available here.
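An added example, not code from the answerer, to make the blacklist-versus-whitelist trade-off above concrete: a toy first-bytes classifier of the kind a censor's DPI box might run. It labels a flow by protocol magic (an HTTP method, a TLS record header) and otherwise by the byte entropy of the opening bytes. The sample flows, the 128-byte window and the thresholds are constructed for the illustration and are not taken from any real censor.

```python
"""Toy DPI classifier for the first bytes of a flow.

Added illustration, not code from the answer above. It shows why a
transport that "looks like randomness" (obfs2/Dust style) gives a blacklist
censor nothing to match, yet is exactly the bucket a whitelist censor drops,
while a transport that mimics a known protocol passes this kind of check.
Window size, thresholds and sample flows are constructed for the example.
"""
import math
import random

WINDOW = 128          # bytes of each flow inspected (assumed)
RANDOM_ENTROPY = 5.5  # bits/byte; 128 uniform bytes score roughly 6.5 (assumed threshold)
TEXT_PRINTABLE = 0.9  # printable fraction expected of a text protocol (assumed threshold)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical byte distribution of data."""
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def printable_fraction(data: bytes) -> float:
    """Share of bytes that are printable ASCII (0x20..0x7e)."""
    return sum(0x20 <= b < 0x7F for b in data) / len(data)


def classify(flow: bytes) -> str:
    """Label a flow from its first WINDOW bytes: 'http', 'tls', 'looks-random' or 'other'."""
    head = flow[:WINDOW]
    if head.startswith((b"GET ", b"POST ", b"HEAD ")):
        return "http"
    if head[:3] in (b"\x16\x03\x01", b"\x16\x03\x03"):   # TLS record: handshake, TLS 1.0/1.2
        return "tls"
    if shannon_entropy(head) > RANDOM_ENTROPY and printable_fraction(head) < TEXT_PRINTABLE:
        return "looks-random"   # no signature to blacklist, but nothing to whitelist either
    return "other"


# Constructed sample flows; the PRNG is seeded so the example is reproducible.
_rng = random.Random(2012)


def _random_bytes(n: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(n))


SAMPLE_FLOWS = {
    "plain http": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    # TLS record header + ClientHello header, body filled with random bytes
    "tls handshake": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + _random_bytes(117),
    # obfs2/Dust-style transport: every byte looks uniformly random
    "obfs2-style": _random_bytes(WINDOW),
    # mimicry transport: the same random payload carried as an HTTP POST body
    "http mimicry": (b"POST /upload HTTP/1.1\r\nHost: example.com\r\n"
                     b"Content-Length: 4096\r\n\r\n" + _random_bytes(64)),
}


if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        head = flow[:WINDOW]
        print(f"{name:14s} entropy={shannon_entropy(head):.2f} "
              f"printable={printable_fraction(head):.2f} -> {classify(flow)}")
```

Read the labels against the two censor models from the answer: a blacklist censor that only drops fingerprinted VPN handshakes lets the "looks-random" flow through, because there is no fixed byte pattern to match; a whitelist censor that forwards only "http" and "tls" drops it, and only the mimicry flow survives, at the cost of the wrapper bytes (here 66 bytes of HTTP framing per message), which is the throughput penalty the answer describes. A real censor would of course look deeper than the first 128 bytes, so a mimicry transport also has to keep the later traffic consistent with the protocol it imitates.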

Off the top of my head, I can think of many ways to beat China's Great Wall, and some of these things may only be useful just once and they border on espionage.

You could always try doing what the head of the CIA did to move messages around

as stated earlier, use steganography to communicate in another channel, and then upload an image or video to a location where your partners can view or intercept them on their way to being uploaded, and exchange them with images that do not contain the code so that they can be studied and the hidden messages will have already been stripped out. Who knows, maybe the cafe owner is in on it...and you never even say hello to each other.

from a moving vehicle, such as a van, which cannot easily be tracked, use a satellite cellular phone with a hookup to a laptop to burst off a complete message

use a satellite dish to communicate (receive messages) with a satellite orbiting overhead

use the space in TCP/IP headers that are not being used in packets, and if the packets are not normalized, the data will get through to someone in the middle who can then normalize the messages and remove the encrypted message

post scores for games in a sport, which have no known meaning, other than to the partner you wish to communicate to

I am not sure if SMS messages are being "saved" in China, so if you use SMS to send a message, by the time that they know you are conducting espionage they may have deleted the messages sent

post a message in the obituaries, for a person which never existed, so as to convey a message

exchange a dictionary with a system, weekly, and use the dictionary to create meaning that is embedded in the words chosen to craft your message, but that subset, when used, is the message... and this can definitely be done because there are dozens of words in English that mean the very same thing, and while some may be archaic, that makes the dictionary quite large, and hence some words completely exchangeable for other words, on certain days, which have other meanings, and the use of one or more words in a sentence would mean something beyond that of the sentence.

go to gambling websites that can be monitored for your login, and make your gambling bets and the manner of play for each hand a code

pick up the computing bug! Write in a language that the Great Wall cannot hope to understand, such as in assembly language, and then post the code

as I understand it, there are many people that sell stolen CDs in open markets in China, so what I would do would be to save the disc that I wanted to drop, for a very special buyer...and only after they install it and decrypt the message would they be able to understand it. The messages do not have to be very long, and you could be sharing the new alphabet / dictionary, and not the message

order goods, and make the number of certain goods that you order from a shared catalog your code, such as the date that your next message will be sent

create, manufacture or steal something top secret and ship it, wherein the shipper or receiver knows which container, and which pallet contains the smuggled out stolen electronics device, images (possibly on a flash chip) that could be glued to any assembly, but which is electronically not in the circuit, which then has to be removed, and mounted on a reader, decrypted and read to be understood

have your travel monitored by your partners, and make the time of day that you turn lights on in certain rooms, leave your home, and the day of the week and month have meaning...in a set of data as to when someone can expect delivery of the secret messages. Have that data relayed by an intermediary.

set up a travel to another country and once in that country, be debriefed

post stories anonymously on the Internet, in a blog, and make the subject title that you speak about have meaning so that the story could be found, but the content not reveal the message

go to an Internet cafe, and make where you sit signify that you have information to drop...and leave your flash drive in the USB port by "accident." Have your partner retrieve the flash drive, and then depart.

place film or flash chip inside a capsule which can be swallowed, then go to a cafe, order coffee with your partner and drop in the capsule, and then exchange cups of coffee having them swallow the capsule with the media

Would you travel to China to relay a computer message? – ponsfonze, Dec 27 '12 at 0:16

No, but I bet hundreds of people leave China every day to be debriefed about what is happening within the country of China regarding topics such as the military technologies, economics, manufacturing, and research that is being done. Sorry if I was not too clear. As far as my traveling to China to commit espionage, I've applied to the CIA long ago and they never called me back. The amount of espionage that is ongoing at this time is off the hook! I took down a Chinese national at a biotech I worked at...and it took out the entire company. – T I, Dec 27 '12 at 3:40

Steganography was designed for exactly such scenarios. More broadly, look for the concept of plausible deniability, which helps people cope with the dangers of unaccounted-for activities in hostile environments.

Of course, in China's scenario, a dedicated service must be established in the outer world to support steganography-enabled communication with the oppressed Chinese network. I don't see it as a problem though, as usually there is an abundance of volunteers supporting the values of liberty in communication.

You might use low-bandwidth side channels. For example, one could set up a site offering pictures, and the site could sport a "thumbnail wall". The HTTP protocol allows for requesting those thumbnails in any order, which means that using twenty pictures you can encode up to 20! (i.e., around 60 bits) in the request scheme. There is no way of detecting or blocking such a scheme short of computationally unfeasible statistical analyses, proxying with request order randomization, or HUMINT of course.

A more easily detectable scheme, with more bandwidth, allows encoding information in ETag and Proxy headers.

Then, one could try more cloak-and-dagger schemes: for example one could bounce ICMP packets with faked source address against a trusted (by the government) host. This kind of malicious activity is apparently not (yet) deemed dangerous, and several firewalled hosts will blissfully bounce back the ICMP packet towards the apparent source, thereby penetrating the firewall.

Then again, incredibly, the Great Firewall of China doesn't seem to care about spam. You'd be surprised at the quantity of unsolicited commercial emails, often containing bulky images, reaching the rest of the world from China. Probably, any sufficiently asymmetric traffic towards port 25/tcp is considered symptomatic of the presence of a Chinese criminal, and the firewall has other priorities. Thanks to some helpful spammers in Guangdong, I can confirm that sending back up to 1 Kb encrypted, compressed and base64-encoded error messages has no effect whatsoever, and the incoming connection keeps requesting relay for more and more spam, which is accepted (and discarded). This channel appears to be capable of about 64 kbit bidirectional.

All this requires encapsulating VPN traffic into different protocols, similar to what Haystack did. Other solutions exist - e.g. FreeGate -, but of course the more widely known they are, the faster Golden Shield is going to (try to) bust them. Simpler strategies aimed at defeating a firewall could just entail obfuscating an existing protocol using one-time pad and supplying rapidly changing external endpoints (that's what the ultrasurf utility did), and betting that you can come up with more obfuscations, and quicker, than the GFC people can come up with fixes.

The risk there, though, is that the GFC switches from "blacklist" to "whitelist" operation: first mowing down the traffic to manageable sizes, then actively rewriting rather than rerouting all known protocols, enforcing strong grammar checks and anomaly detection. For example, refusing HTTPS and TLS unless you accept a non-matching, GFC-generated certificate to allow man-in-the-middle SSL decryption (claiming that this "does not limit responsible citizens", unless "they have something to hide"), and otherwise refusing all packets that it does not fully understand. This is more or less an answer to Ai Weiwei's statement that the only way to control the Internet is to shut it down. And the answer would be "Well then, how about we do just that".
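The thumbnail-wall channel from the start of this answer, worked through as an added example (not the answerer's code): the message is the order in which the client fetches the twenty thumbnails, mapped to and from an integer with the factorial number system (Lehmer code), and the server recovers it from the order of `GET` lines it sees. With 20 pictures the exact capacity is floor(log2 20!) = 61 bits, so the example carries fixed 7-byte frames per pass over the wall. The thumbnail paths, the request-line format and the frame size are constructed for the illustration.

```python
"""Encode a short message in the ORDER a client requests thumbnails.

Added illustration of the "thumbnail wall" side channel; not code from the
answer's author. Thumbnail names, log format and frame size are assumptions.
"""
import math
import re

THUMBS = [f"/thumbs/{i:02d}.jpg" for i in range(20)]   # 20 pictures -> 20! orderings


def capacity_bits(n: int) -> int:
    """Bits one permutation of n distinct items can carry: floor(log2(n!))."""
    return math.factorial(n).bit_length() - 1


def int_to_permutation(value: int, items: list) -> list:
    """Map value in [0, n!) to a permutation of items via the factorial number system."""
    pool = list(items)
    n = len(pool)
    if not 0 <= value < math.factorial(n):
        raise ValueError("value does not fit in n! orderings")
    order = []
    for i in range(n, 0, -1):
        idx, value = divmod(value, math.factorial(i - 1))   # digit i-1 of the Lehmer code
        order.append(pool.pop(idx))
    return order


def permutation_to_int(order: list, items: list) -> int:
    """Inverse of int_to_permutation; ValueError on an unknown or repeated item."""
    pool = list(items)
    n = len(pool)
    value = 0
    for i, item in enumerate(order):
        idx = pool.index(item)
        pool.pop(idx)
        value += idx * math.factorial(n - 1 - i)
    return value


def encode_frame(frame: bytes, items=THUMBS) -> list:
    """Client side: turn one fixed-size frame into the request lines to send, in order."""
    size = capacity_bits(len(items)) // 8   # 20 thumbnails -> 61 bits -> 7 bytes per frame
    if len(frame) != size:
        raise ValueError(f"frame must be exactly {size} bytes")
    order = int_to_permutation(int.from_bytes(frame, "big"), items)
    return [f"GET {path} HTTP/1.1" for path in order]


def decode_frame(request_lines: list, items=THUMBS) -> bytes:
    """Server side: recover the frame from the order of thumbnail requests in its log."""
    order = [re.match(r"GET (\S+) ", line).group(1) for line in request_lines]
    if sorted(order) != sorted(items):
        raise ValueError("not a complete, duplicate-free pass over the wall")
    size = capacity_bits(len(items)) // 8
    return permutation_to_int(order, items).to_bytes(size, "big")


if __name__ == "__main__":
    frame = b"meet@9".rjust(7, b"\x00")        # pad the message to the 7-byte frame
    wire = encode_frame(frame)
    print(f"{capacity_bits(20)} bits per pass over the wall, sent as {len(wire)} requests")
    print("\n".join(wire))
    assert decode_frame(wire) == frame
```

The defence the answer itself names is visible in the code: a proxy that re-orders (or prefetches) the requests destroys the permutation and with it the message, which is why the channel only works as long as the censor forwards requests in the order it receives them. Note also that the receiving side learns nothing until the whole pass is complete, so a partially logged pass decodes to an error rather than to a wrong frame.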